November 7th, 2005, 04:46 AM
trojan pestering my box
Just how can I get rid of a trojan which I don't know how to get rid of? I know my server is infected with it and compromised, but how could I possibly clean up my server? The past computer guys from where I work have been using Windows, which to me is just OK. It has been infected even before I got here at my work. Any advice on what anti-spyware software to use, firewalls, etc.? Please help me. Thanks so much.
November 7th, 2005, 04:57 AM
Boot into safe mode, run an AV (if you don't have one, google "trendmicro housecall") or download the free edition of AVG from Grisoft. Install Ad-Aware or Spybot S&D (or both) and do a scan in safe mode. If you still see problems, post again.
How do you know your server is infected?
November 7th, 2005, 05:19 AM
If it's on your server, I have a suggestion you may not like. Back up your critical files, and wipe the system clean. Just getting rid of the trojan could be good, but the "hacker" (if you can even call them that) may have left other things, such as keyloggers, other ways in, etc. in the system. To make sure your system is completely secure, you should back up what you need, wipe it clean, and start over.
Now, as Copyright pointed out, make sure you run an AV scan, and make sure you have a firewall running (both can be found by a quick Google search). Make sure you also are sure the AV program and virus definitions are up to date, and the firewall has a correct ruleset for your server.
November 7th, 2005, 06:23 AM
I've come up with a new installation, all clean. I only backed up the website files. I've checked it out at dshield.org and it's still an attacker or still compromised. I'll try those and be back with what I got. Thanks. BTW, I'm just using a Windows 2K Adv. Server.
November 7th, 2005, 09:38 AM
You're saying that you have formatted and you're still compromised? It's a webserver? There could be an ASP backdoor in one of the sites, if not one of your backup files is hiding something, more than likely an ASP backdoor such as NTdaddy or a custom-written one. How many sites does the server host? What patches have been applied? How many services are running, and what services are running? Run netstat -b to see what's connected and what program it is that's connecting out, to see if a trojan or something like netcat has been uploaded through such said backdoor. Curious, how did you find out you were compromised in the first place? Also run a HijackThis log and post it.
November 8th, 2005, 04:39 AM
Hello prodikal. My server seems to be working fine now, but I'll try to answer your questions for info.
About a year before I got here, they had a mail server (set up on the same box I mentioned, which is still being used as a server right now, but without the mail server, solely for web), and it was reported by the provider of the DSL that the server was being zombied. We tried formatting that with a new OS (XP), as a server still. Days ago, I noticed some folders in my webserver's document root that have nothing to do with our website. Good thing they didn't touch anything on our website and deface it. "They" were only there to make use of my server and use it as a link to their files, causing my box to move slow (46 files of 40MB each). They've put up some sort of DVD-ripped files, and I later found out that they reside in a French country.
I've used the tools you all AO's suggested and I hope my box works fine. Thanks a lot for the help.
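
An added example, not part of any post in this thread: one reply above suspects an ASP backdoor hiding in the restored website backup, and the last post describes unknown folders of large files in the document root. This Python script compares a restored web root against a manifest built from a known-good copy of the site and flags unexpected scripts, modified files and oversized files; the function names, extension list, size threshold and sample files are all constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of server-executable extensions; match it to the server's handler mappings.
SCRIPT_EXTS = (".asp", ".asa", ".aspx")

def build_manifest(root):
    """Map lowercase relative path -> (SHA-256, size) for every file under root."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest, size = hashlib.sha256(), 0
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    digest.update(chunk)
                    size += len(chunk)
            manifest[path.relative_to(root).as_posix().lower()] = (digest.hexdigest(), size)
    return manifest

def audit_webroot(root, known_good, big_bytes=10 * 1024 * 1024):
    """Compare root against a known-good manifest; return sorted (path, reason) findings."""
    current = build_manifest(root)
    findings = [(rel, "missing") for rel in known_good if rel not in current]
    for rel, (digest, size) in current.items():
        if rel not in known_good:
            kind = "unexpected-script" if rel.endswith(SCRIPT_EXTS) else "unexpected-file"
            findings.append((rel, kind))
        elif known_good[rel][0] != digest:
            findings.append((rel, "modified"))
        if size >= big_bytes:
            findings.append((rel, "large-file"))
    return sorted(findings)

def demo():
    """Constructed sample: a clean site copy and a restored backup with extra content."""
    def write(base, rel, data):
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    with tempfile.TemporaryDirectory() as tmp:
        clean, restored = Path(tmp, "clean"), Path(tmp, "restored")
        for base in (clean, restored):
            write(base, "index.asp", b'<% Response.Write "home" %>')
            write(base, "images/logo.gif", b"GIF89a-constructed")
        write(restored, "index.asp", b'<% Response.Write "home" %><!-- changed -->')
        write(restored, "images/thumbs/view.asp", b"<% ' constructed placeholder %>")
        write(restored, "pub/disc1.bin", b"\0" * 4096)
        return audit_webroot(restored, build_manifest(clean), big_bytes=4096)
```

Run the audit on the backup while it is still offline, before the files are copied back into the document root of the rebuilt server.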